In the past few years, Windows win32k privilege escalation vulnerabilities have appeared in a steady stream. Researchers discovered new attack surfaces such as win32k callbacks, DirectX, DirectComposition, etc. Even so, it is still difficult to discover new vulnerabilities inside the win32k attack surface. Are there other attack surfaces inside the Windows graphics component?
Desktop Window Manager (DWM.EXE) is the compositing window manager in Microsoft Windows since Windows Vista that enables the use of hardware acceleration to render the graphical user interface of Windows. We found that this process runs with high privileges while low-privileged users can interact with it, which creates a very large attack surface. However, there has not been much research on this attack surface. We found 10 bugs inside the dwm process; all of them were reported to Microsoft and acknowledged.
In this talk, we will first introduce the basic architecture of the Desktop Window Manager and explain how low-privileged users interact with the dwm process. We will also introduce some special features of the DWM process found through reverse engineering, such as restart recovery, exception handling, etc. We will disclose some of the vulnerabilities we found, so you will gain a better understanding of this attack surface. Finally, we will conclude and share our opinions on this attack surface, together with our speculation on the future security of the Desktop Window Manager process.
Vulnerabilities of DirectComposition UserSpace
This part is the core of our talk. We will walk through 5 vulnerability cases we found as illustrations.
- CVE-2022-21852: DWM Core Library Expression Object Out Of Bound Access Vulnerability
- CVE-2022-21896: DWM Core Library Untrusted Pointer Reference Vulnerability
- CVE-2022-21902: DWM Core Library Animation Object Out Of Bound Access Vulnerability
- CVE-2022-21994: DWM Core Library Animation Object Type Confusion Vulnerability
- CVE-2022-23288: DWM Core Library Proxy Object Use After Free Vulnerability
- CVE-2022-37970: DWM Core Library Injection Data Out Of Bound Access Vulnerability
Our presentation will leave attendees with the following takeaways:
- Understanding the details of DirectComposition, including its user-mode and kernel-mode implementation, and especially how a user process communicates with the Desktop Window Manager process. Many security issues arise in this shared-memory communication.
- An introduction to the two ways we found these vulnerabilities: manual code auditing and fuzzing. The audience will learn how we designed our fuzzer and which vulnerabilities it found. Some of the bugs cannot be found by a fuzzer, so the audience will also learn the advantages and disadvantages of fuzzing versus manual code auditing.
- The audience will learn the details of the vulnerabilities and the root cause of each bug. Most of these vulnerabilities exist in the dwmcore.dll module, many of them are exploitable, and their quality is very high. Since everyone's attention is focused on the kernel side, the user-mode code has rarely been audited.